Module dlog_with_el_gamal_commitment

ZK-proof of discrete log with El-Gamal commitment. Called Пelog or Relog in the CGGMP24 papers.

Description

Common inputs:

  • Curve E with generator $G$ of a prime-order subgroup of size $q$
  • $L, M, X, Y, H$ are points on curve E

Prover has secret inputs $y, \lambda$ (scalars modulo $q$) such that $L = \lambda G$, $M = \lambda X + y G$ and $Y = y H$.

Example

use paillier_zk::{dlog_with_el_gamal_commitment as p};
use generic_ec::{Point, Scalar, curves::Secp256k1 as E};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Prover and verifier have a shared protocol state
    let shared_state = "some shared state";

    let mut rng = rand_core::OsRng;

    // Prover knows lambda, y
    let pdata = p::PrivateData {
        lambda: &Scalar::random(&mut rng),
        y: &Scalar::random(&mut rng),
    };

    // Common data known by both prover and verifier:
    let x = Point::generator() * Scalar::random(&mut rng);
    let h = Point::generator() * Scalar::random(&mut rng);

    // L = lambda G, M = lambda X + y G, Y = y H
    let data = p::Data {
        l: &(Point::generator() * pdata.lambda),
        m: &(Point::generator() * pdata.y + x * pdata.lambda),
        x: &x,
        y: &(h * pdata.y),
        h: &h,
    };

    // Generate non-interactive proof
    let proof = p::non_interactive::prove::<E, sha2::Sha256>(
        &shared_state,
        data,
        pdata,
        &mut rng,
    )?;

    // Proof and the data are sent to the verifier. Serialization and transport
    // are application-specific and out of scope for this example, so the
    // verifier below simply reuses the same values.

    // Verifier receives the data and the proof and verifies them
    p::non_interactive::verify::<E, sha2::Sha256>(
        &shared_state,
        data,
        &proof,
    )?;

    Ok(())
}

If verification succeeds, the verifier can continue the protocol with the prover.

Modules

  • interactive: The interactive version of the ZK proof. Completed in 3 rounds: the prover commits to data, the verifier responds with a random challenge, and the prover produces the proof from the commitment and challenge.
  • non_interactive: The non-interactive version of the proof. Completed in one round; for an example see the documentation of the parent module above.
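The relation from the Description and the three-round flow (commit, challenge, respond/verify) described for the interactive and non_interactive modules, as an added stand-alone example that is not part of paillier_zk. It swaps the elliptic curve for a toy order-11 subgroup of Z_23^* (parameters P, Q, G, the secrets lambda = 4, y = 7 and the points X = 3G, H = 5G are all constructed here), writes the Schnorr-style commitment (A, N, B) and response (z1, z2) for this relation explicitly rather than quoting the crate, and uses std's SipHash only as a labelled stand-in for the Fiat-Shamir hash. It also shows the failure mode the verifier relies on: a prover whose y does not satisfy the relation is rejected.

```rust
// Toy Σ-protocol for L = lambda*G, M = lambda*X + y*G, Y = y*H over the
// order-11 subgroup of Z_23^* (constructed parameters, far too small for
// real use). "Point addition" is multiplication mod P, "scalar
// multiplication" is exponentiation mod P, scalars live in Z_Q.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

const P: u64 = 23; // toy modulus
const Q: u64 = 11; // prime order of the subgroup generated by G
const G: u64 = 2; // 2^11 = 2048 = 1 (mod 23), so <2> has order 11

/// Group operation (written additively in the module description).
fn add(a: u64, b: u64) -> u64 {
    a * b % P
}

/// Scalar multiplication k*point, i.e. point^k mod P with k reduced mod Q.
fn mul(point: u64, k: u64) -> u64 {
    let (mut acc, mut base, mut e) = (1, point % P, k % Q);
    while e > 0 {
        if e & 1 == 1 {
            acc = acc * base % P;
        }
        base = base * base % P;
        e >>= 1;
    }
    acc
}

/// Common inputs L, M, X, Y, H (the module's `Data`).
struct Public { l: u64, m: u64, x: u64, y: u64, h: u64 }
/// Prover's secrets (the module's `PrivateData`).
struct Secret { lambda: u64, y: u64 }

/// Build an instance that satisfies the relation from the secrets.
fn setup(x: u64, h: u64, sec: &Secret) -> Public {
    Public { l: mul(G, sec.lambda), m: add(mul(x, sec.lambda), mul(G, sec.y)), x, y: mul(h, sec.y), h }
}

/// Round 1: prover picks nonces alpha, beta and commits A = alpha*G,
/// N = alpha*X + beta*G, B = beta*H; alpha, beta are kept as private state.
struct Commitment { a: u64, n: u64, b: u64 }
struct PrivateCommitment { alpha: u64, beta: u64 }
fn commit(pubd: &Public, alpha: u64, beta: u64) -> (Commitment, PrivateCommitment) {
    let c = Commitment { a: mul(G, alpha), n: add(mul(pubd.x, alpha), mul(G, beta)), b: mul(pubd.h, beta) };
    (c, PrivateCommitment { alpha, beta })
}

/// Round 2, non-interactive variant: challenge derived from the transcript.
/// SipHash is a std-only stand-in; a real Fiat-Shamir transform uses a
/// cryptographic hash such as SHA-256. Interactively, the verifier samples e.
fn challenge(shared_state: &[u8], pubd: &Public, c: &Commitment) -> u64 {
    let mut hasher = DefaultHasher::new();
    shared_state.hash(&mut hasher);
    [pubd.l, pubd.m, pubd.x, pubd.y, pubd.h, c.a, c.n, c.b].hash(&mut hasher);
    hasher.finish() % Q
}

/// Round 3: prover answers z1 = alpha + e*lambda, z2 = beta + e*y (mod Q).
struct Response { z1: u64, z2: u64 }
fn respond(sec: &Secret, pc: &PrivateCommitment, e: u64) -> Response {
    Response { z1: (pc.alpha + e * sec.lambda) % Q, z2: (pc.beta + e * sec.y) % Q }
}

/// Verifier checks z1*G = A + e*L, z1*X + z2*G = N + e*M, z2*H = B + e*Y.
/// Completeness: z1*G = alpha*G + e*lambda*G = A + e*L, and likewise for the rest.
fn verify(pubd: &Public, c: &Commitment, e: u64, r: &Response) -> bool {
    mul(G, r.z1) == add(c.a, mul(pubd.l, e))
        && add(mul(pubd.x, r.z1), mul(G, r.z2)) == add(c.n, mul(pubd.m, e))
        && mul(pubd.h, r.z2) == add(c.b, mul(pubd.y, e))
}

/// Interactive run with caller-supplied nonces and verifier challenge e.
fn run_interactive(pubd: &Public, sec: &Secret, alpha: u64, beta: u64, e: u64) -> bool {
    let (c, pc) = commit(pubd, alpha, beta);
    verify(pubd, &c, e, &respond(sec, &pc, e))
}

/// Non-interactive run: prover derives e from the transcript, verifier recomputes it.
fn run_non_interactive(shared_state: &[u8], pubd: &Public, sec: &Secret, alpha: u64, beta: u64) -> bool {
    let (c, pc) = commit(pubd, alpha, beta);
    let r = respond(sec, &pc, challenge(shared_state, pubd, &c));
    verify(pubd, &c, challenge(shared_state, pubd, &c), &r)
}

fn main() {
    let sec = Secret { lambda: 4, y: 7 };
    let pubd = setup(mul(G, 3), mul(G, 5), &sec); // X = 3*G, H = 5*G (constructed)
    println!("honest prover accepted: {}", run_interactive(&pubd, &sec, 6, 2, 9));
    let wrong = Secret { lambda: 4, y: 8 }; // y does not match M and Y
    println!("wrong y accepted: {}", run_interactive(&pubd, &wrong, 6, 2, 9));
}
```

The two `run_*` functions mirror the crate's split into interactive (verifier-chosen e) and non_interactive (e recomputed from the transcript by both sides); with a 11-element challenge space a cheating prover still passes with probability 1/11, which is why a real instantiation needs a large prime-order group and a cryptographic hash.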

Structs

  • Aux: Auxiliary data known to both prover and verifier
  • Commitment: Prover’s first message, obtained by interactive::commit
  • Data: Public data that both parties know
  • InvalidProof: Error indicating that the proof is invalid
  • NiProof: The non-interactive ZK proof. Computed by non_interactive::prove.
  • PrivateCommitment: Prover’s data accompanying the commitment. Kept as state between rounds in the interactive protocol.
  • PrivateData: Private data of the prover
  • Proof: The ZK proof. Computed by interactive::prove.

Type Aliases

  • Challenge: Verifier’s challenge to the prover. Can be obtained deterministically by non_interactive::challenge or randomly by interactive::challenge